Apple delivers jumbo security update for Mac OS X

FRAMINGHAM, 13 MAY 2009 - Apple Inc. today patched 67 vulnerabilities in Mac OS X, including two bugs that researchers used in March to walk off with $5,000 each in a noted hacking contest.

Tuesday's update was the largest for Apple since March 2008.

"For Apple, updates this size are now becoming the norm," said Andrew Storms, director of security operations at nCircle Network Security.

Security Update 2009-002, which was bundled with the upgrade for Leopard to Mac OS X 10.5.7, and available separately for users of Tiger, plugged holes in BIND, CoreGraphics, Disk Images, Flash Player, iChat, Kerberos, QuickDraw Manager, Safari, Spotlight, WebKit and other bits and pieces of the operating system.

More than a third of the vulnerabilities -- 26 of the 67 -- were labeled with Apple's "arbitrary code execution" description, meaning the flaws are critical in nature and could be exploited to hijack a Mac. Unlike many other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses.

Over half of the bugs were in open-source components or applications that Apple integrates with Mac OS X, including the Apache Web server and the WebKit browser rendering engine that powers Safari. "I don't see Apple moving at a faster pace," said Storms, referring to previous criticism that the company consistently patches open-source pieces months after the code has been updated by outside developers. "Some of these I remember patching [on Linux] back in December."

"Open-source continues to be a popular vector for researchers looking for Mac OS X vulnerabilities," Storms continued. Researchers can look for fixed bugs in open-source code, and use that information to reverse-engineer an exploit against Apple's operating system secure in the knowledge that the company hasn't yet pushed out updates.

Apple also fixed three bugs in Flash that Adobe patched back in February, five in the CoreGraphics component that could be exploited by malicious PDF files, and one in the built-in Spotlight search engine that hackers could leverage with a malicious Microsoft Office file.

But the highest-profile vulnerabilities today -- if only because they attracted so much media attention -- were the two bugs used at "Pwn2Own," the annual hacking contest sponsored by 3Com's TippingPoint.

Last March, Charlie Miller, an analyst at Independent Security Evaluators in Baltimore, won $5,000 and a MacBook after using a flaw in the Apple Type Services component of Leopard to break into the laptop in less than 10 seconds. Later that same day, a computer science student from Germany who would only give his first name as Nils exploited Apple's Safari by using a vulnerability in WebKit.

Apple patched both vulnerabilities today, nearly two months after the contest. Mozilla, in comparison, patched its Firefox browser -- which Nils also hacked at the CanSecWest security conference on the same day he broke Internet Explorer 8 and Safari -- on March 27.